Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Monday, March 21, 2011

The negative impact of AT&T's purchase of T-Mobile on the market for privacy

Yesterday, AT&T announced that it will be purchasing T-Mobile, the fourth largest wireless carrier in the US. While there are many who have raised antitrust concerns about this deal due to the impact it will have on the price of wireless services and mobile device/application choice, I want to raise a slightly different concern: the impact this will have on privacy.

While it is little known to most consumers, T-Mobile is actually the most privacy preserving of the major wireless carriers. As I described in a blog post earlier this year, T-Mobile does not have or keep IP address logs for its mobile users. What this means is that if the FBI, police or a civil litigant wish to later learn which user was using a particular IP address at a given date and time, T-Mobile is unable to provide the information.

In comparison, Verizon, AT&T and Sprint all keep logs regarding the IP addresses they issue to their customers, and in some cases, even the individual URLs of the pages viewed from handsets.

While privacy advocates encourage companies to retain as little data about their customers as possible, the Department of Justice wants them to retain identifying IP data for long periods of time. Enough so that T-Mobile was called out (albeit not by name) by a senior DOJ official at a data retention hearing at the House Judiciary Committee back in January:

"One mid-size cell phone company does not retain any records, and others are moving in that direction."

If and when the Federal government approves this deal, T-Mobile's customers and infrastructure will likely be folded into the AT&T mothership. As a result, T-Mobile's customers will lose their privacy preserving ISP, and instead have their online activities tracked by AT&T.

After this deal goes through, there will be three major wireless carriers, all of whom have solid track records of being hostile to privacy:

AT&T, a company that voluntarily participated in the Bush-era warrantless wiretapping program in which it illegally disclosed its customers communications to the National Security Agency.

Verizon, a company that similarly voluntarily participated in the warrantless wiretapping program, and then when sued by the Electronic Frontier Foundation, argued in court that it had free speech right protected by the 1st Amendment to disclose that data to the NSA.

Sprint, a company that established a website so that law enforcement agencies would no longer have to go through the trouble of seeking the assistance of Sprint employees in order to locate individual Sprint customers. This website was then used to ping Sprint users more than 8 million times in a single year.

The market for privacy

Today, privacy is largely an issue risk mitigation for firms. Chief Privacy Officers are tasked with protecting against data breaches, and class action lawsuits related to the 3rd party cookies that litter companies' homepages. The privacy organizations within companies do not bring in new customers, or improve the bottom line, but protect the firm from regulators and class action lawyers.

Recently, there are signs that this may be changing. Microsoft and Mozilla are now visibly competing on privacy features such as "Do Not Track" built into their web browsers. Several venture capital firms have invested cash into firms like Reputation.com and Abine who are selling privacy enhancing products to consumers.

To be clear, the market for privacy is in its infancy. As such, the government should be doing everything possible to nurture and encourage such growth. It is for that reason that the FTC should not permit the one and only privacy protecting major wireless carrier to be swallowed up by AT&T, a company that has repeatedly violated the privacy of its customers.

The FTC should lead the government's investigation into this deal, and should reject it on privacy grounds

When the FTC approved Google's merger with Doubeclick in 2007, then Commissioner Pamela Jones Harbour raised the issue of privacy in her dissent (pages 9-12). As I think history now confirms, the FTC erred in ignoring Commissioner Harbour and not considering the issue of privacy in the Google deal. However, many of her comments similarly apply to the AT&T/T-Mobile deal.

While the FTC cannot turn back the clock on Google/Doubleclick, it can and should protect the privacy of the millions of T-Mobile subscribers. The FTC should block this merger. However, even if the deal is permitted to go through, the FTC should at least extract strict privacy guarantees from AT&T that include a policy of not retaining IP address allocation or other Internet browsing logs.

If the FTC, Commerce Department and Congress want the market to provide privacy to consumers, then they need to make sure that consumers have options in this area. Without options, informed consumers cannot vote with their wallets. Companies that choose to go the extra mile to protect privacy should be rewarded for doing so, and not, when the market for privacy is so young, be swallowed up by those that steamroll over their customers' desire to keep their data safe.

2 comments:

As a former Verizon customer, I looked into multiple other cellular providers in my quest for a new service provider. I found something which I find very disturbing, and I think casts an interesting light upon your post.

Verizon, AT&T, and Sprint collectively represent the vast majority of the old Ma Bell system. Given the degree of cozy partnerships and joint ventures, it seems that the break-up of the old Bell system has failed. AT&T has, in a fashion, reformed itself via four companies (Qwest holds the remainder of the Bell system.)

All four of these providers are providing essentially the same services, at the same rates, but with different colour schemes. If that is not collusion, I do not know what is.

After the buy-out of AllTel by Verizon, T-Mobile was the last major non-Bell service provider. How curious AT&T would want to buy it up!

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.